

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/favicon.png">
  <link rel="icon" href="/img/favicon.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Cheney">
  <meta name="keywords" content="Coding">
  
    <meta name="description" content="Nmap(Network Mapper(网络映射器))是一个网络连接端扫描软件，用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端，并且推断计算机运行哪个操作系统（这是亦称 fingerprinting）。它是网络管理员必用的软件之一，以及用以评估网络系统安全。Nmap包含四项基本功能：主机发现（Host Discovery）端口扫描（Port Scanning）版本侦测（Versio">
<meta property="og:type" content="article">
<meta property="og:title" content="Nmap工具的安装与实验(网络扫描)">
<meta property="og:url" content="https://cheney822.gitee.io/2022/03/05/Nmap%E5%B7%A5%E5%85%B7%E7%9A%84%E5%AE%89%E8%A3%85%E4%B8%8E%E4%BD%BF%E7%94%A8/index.html">
<meta property="og:site_name" content="Cheney blog">
<meta property="og:description" content="Nmap(Network Mapper(网络映射器))是一个网络连接端扫描软件，用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端，并且推断计算机运行哪个操作系统（这是亦称 fingerprinting）。它是网络管理员必用的软件之一，以及用以评估网络系统安全。Nmap包含四项基本功能：主机发现（Host Discovery）端口扫描（Port Scanning）版本侦测（Versio">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305141030035-20220405204307985-20220405211130726.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305141048987-20220405204322019-20220405211130805.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305141059297-20220405204327061-20220405211130841.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305141126938-20220405204335492-20220405211130885.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305141133430-20220405204346221-20220405211130950.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305141911689-20220405204358009-20220405211130996.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305142104990-20220405204414953-20220405211131035.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305142133908-20220405204424230-20220405211131089.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305142207580-20220405204428987-20220405211131141.png">
<meta property="og:image" content="https://imgbed.cheney.cc/picgo/image-20220305142245486-20220405204436641-20220405211131214.png">
<meta property="article:published_time" content="2022-03-05T06:30:00.000Z">
<meta property="article:modified_time" content="2022-04-05T13:14:31.779Z">
<meta property="article:author" content="Cheney">
<meta property="article:tag" content="网络">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://imgbed.cheney.cc/picgo/image-20220305141030035-20220405204307985-20220405211130726.png">
  
  
  <title>Nmap工具的安装与实验(网络扫描) - Cheney blog</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/hint.css@2/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/github-gist.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_lbnruvf0jn.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->


  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"cheney822.gitee.io","root":"/","version":"1.8.14","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":1},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":false,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":null,"app_key":null,"server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
<meta name="generator" content="Hexo 5.4.1"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>Cheney Blog</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                首页
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                归档
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                分类
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                标签
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                关于
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              &nbsp;<i class="iconfont icon-search"></i>&nbsp;
            </a>
          </li>
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">&nbsp;<i
                class="iconfont icon-dark" id="color-toggle-icon"></i>&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="banner" id="banner" parallax=true
         style="background: url('https://imgbed.cheney.cc/Blog_config/default.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="Nmap工具的安装与实验(网络扫描)">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2022-03-05 14:30" pubdate>
        2022年3月5日 下午
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      7.1k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      36 分钟
    </span>
  

  
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">Nmap工具的安装与实验(网络扫描)</h1>
            
            <div class="markdown-body">
              <h2 id="Nmap概述"><a href="#Nmap概述" class="headerlink" title="Nmap概述"></a>Nmap概述</h2><p>Nmap(Network Mapper(网络映射器))是一个网络连接端扫描软件，用来扫描网上电脑开放的网络连接端。确定哪些服务运行在哪些连接端，并且推断计算机运行哪个操作系统（这是亦称 fingerprinting）。它是网络管理员必用的软件之一，以及用以评估网络系统安全。</p>
<p>正如大多数被用于网络安全的工具，nmap 也是不少黑客及骇客（又称脚本小子）爱用的工具 。系统管理员可以利用nmap来探测工作环境中未经批准使用的服务器，但是黑客会利用nmap来搜集目标电脑的网络设定，从而计划攻击的方法。</p>
<p>Nmap包含四项基本功能：主机发现（Host Discovery）端口扫描（Port Scanning）版本侦测（Version Detection）操作系统侦测（Operating System Detection）而这四项功能之间，又存在大致的依赖关系（通常情况下的顺序关系，但特殊应用另外考虑），首先需要进行主机发现，随后确定端口状况，然后确定端口上运行具体应用程序与版本信息，然后可以进行操作系统的侦测。而在四项基本功能的基础上，Nmap提供防火墙与IDS（IntrusionDetection System,入侵检测系统）的规避技巧，可以综合应用到四个基本功能的各个阶段；另外Nmap提供强大的NSE（Nmap Scripting Language）脚本引擎功能，脚本可以对基本功能进行补充和扩展。</p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305141030035-20220405204307985-20220405211130726.png" srcset="/img/loading.gif" lazyload alt="image-20220305141030035" style="zoom: 50%;" />

<p>通常，一个简单的使用ICMP协议的ping操作可以满足一般需求；也可以深入探测UDP或者TCP端口，直至主机所 使用的操作系统；还可以将所有探测结果记录到各种格式的日志中， 供进一步分析操作。</p>
<h2 id="Nmap安装"><a href="#Nmap安装" class="headerlink" title="Nmap安装"></a>Nmap安装</h2><p>首先访问Nmap官网，获得windows对应版本的安装包。</p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305141048987-20220405204322019-20220405211130805.png" srcset="/img/loading.gif" lazyload alt="image-20220305141048987" style="zoom:50%;" />

<p>根据提示,一直安装即可</p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305141059297-20220405204327061-20220405211130841.png" srcset="/img/loading.gif" lazyload alt="image-20220305141059297" style="zoom:50%;" />

<p>软件主界面</p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305141126938-20220405204335492-20220405211130885.png" srcset="/img/loading.gif" lazyload alt="image-20220305141126938" style="zoom:50%;" />

<p>可以看出其内置了很多扫描类型，支持查看多种扫描结果，UI界面比较直观</p>
<p>此外，还可以在linux终端内安装，更加灵活。</p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305141133430-20220405204346221-20220405211130950.png" srcset="/img/loading.gif" lazyload alt="image-20220305141133430" style="zoom:50%;" />

<h2 id="Nmap使用"><a href="#Nmap使用" class="headerlink" title="Nmap使用"></a>Nmap使用</h2><p>查看linux下nmap的帮助信息。(执行命令<code>nmpa -h</code>)</p>
<blockquote>
<p>Nmap 7.80 ( <a target="_blank" rel="noopener" href="https://nmap.org/">https://nmap.org</a> )</p>
</blockquote>
<blockquote>
<p>Usage: nmap [Scan Type(s)] [Options] {target specification}</p>
</blockquote>
<p>可见nmap指令的一般格式是：<code>nmap \[扫描类型(可叠加)\] \[选项\] \[目标\]</code></p>
<p>其中目标可以有如下格式：</p>
<figure class="highlight pf"><table><tr><td class="gutter"><div class="code-wrapper"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></div></td><td class="code"><pre><code class="hljs pf">TARGET SPECIFICATION:<br>Can <span class="hljs-built_in">pass</span> hostnames, IP addresses, networks, etc.<br>Ex: scanme.nmap.org, microsoft.com/<span class="hljs-number">24</span>, <span class="hljs-number">192.168</span>.<span class="hljs-number">0.1</span>; <span class="hljs-number">10.0</span>.<span class="hljs-number">0</span>-<span class="hljs-number">255.1</span>-<span class="hljs-number">254</span><br>-iL <span class="hljs-variable">&lt;inputfilename&gt;</span>: Input <span class="hljs-keyword">from</span> list of hosts/networks<br>-iR <span class="hljs-variable">&lt;num hosts&gt;</span>: Choose <span class="hljs-keyword">random</span> targets<br>--exclude <span class="hljs-variable">&lt;host1[,host2][,host3],...&gt;</span>: Exclude hosts/networks<br>--excludefile <span class="hljs-variable">&lt;exclude_file&gt;</span>: Exclude list <span class="hljs-keyword">from</span> file<br></code></pre></td></tr></table></figure>

<p>其他可以指定的参数(部分)有:</p>
<ul>
<li><p>HOST DISCOVERY: 目标勘测的手段</p>
</li>
<li><p>SCAN TECHNIQUES: 指定扫描的技术</p>
</li>
<li><p>PORT SPECIFICATION AND SCAN ORDER: 指定端口和扫描顺序</p>
</li>
<li><p>SERVICE/VERSION DETECTION: 服务/版本 勘测</p>
</li>
<li><p>OS DETECTION: 操作系统勘测</p>
</li>
</ul>
<p>参考windows上有UI的nmap版本内置的扫描类型：</p>
<hr>
<figure class="highlight mipsasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><code class="hljs mipsasm">Intense <span class="hljs-keyword">scan </span>                 nmap -<span class="hljs-built_in">T4</span> -A -v www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Intense <span class="hljs-keyword">scan </span>plus UDP         nmap -sS -sU -<span class="hljs-built_in">T4</span> -A -v www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Intense <span class="hljs-keyword">scan, </span>all TCP ports   nmap -p <span class="hljs-number">1</span><span class="hljs-number">-65535</span> -<span class="hljs-built_in">T4</span> -A -v www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Intense <span class="hljs-keyword">scan, </span>no ping         nmap -<span class="hljs-built_in">T4</span> -A -v -Pn www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Ping <span class="hljs-keyword">scan </span>                    nmap -sn www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Quick <span class="hljs-keyword">scan </span>                   nmap -<span class="hljs-built_in">T4</span> -F www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Quick <span class="hljs-keyword">scan </span>plus               nmap -sV -<span class="hljs-built_in">T4</span> -O -F \--version-light www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Quick traceroute              nmap -sn \--traceroute www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Regular <span class="hljs-keyword">scan </span>                 nmap www.<span class="hljs-keyword">baidu.com</span><br><span class="hljs-keyword"></span><br>Slow comprehensive <span class="hljs-keyword">scan </span>      nmap -sS -sU -<span class="hljs-built_in">T4</span> -A -v -PE -PP -PS80,<span class="hljs-number">443</span> -PA3389 -PU40125 -PY -g <span class="hljs-number">53</span> \--<span class="hljs-keyword">script </span>\<span class="hljs-string">&quot;default or (discovery and safe)\&quot; www.baidu.com</span><br></code></pre></td></tr></table></figure>


<hr>
<h1 id="利用Nmap实施网络扫描"><a href="#利用Nmap实施网络扫描" class="headerlink" title="利用Nmap实施网络扫描"></a>利用Nmap实施网络扫描</h1><h2 id="主机发现"><a href="#主机发现" class="headerlink" title="主机发现"></a>主机发现</h2><h3 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原理</h3><p>当网络不通时，我们需要ping一下主机，检查网关是否正常，这与主机发现原理一样。当测试目标是一个网络时，在线的主机才是我们的用主机发现的目标，nmap中提供了许多主机发现的方法，大多与TCP/IP协议簇中的协议有关。</p>
<ul>
<li>1、跳过ping扫描阶段：</li>
</ul>
<p>nmap进行其他扫描之前都会对目标进行一个ping扫描。如果目标对ping 扫描无反应将结束整个扫描过程。这种方法可以跳过那些没有响应的主机，从而节省大量时间，但如果目标在线只是采用某种手段屏蔽了ping 扫描，从而躲过我们的其他扫描操作，我们可以指定无论目标是否响应ping 扫描，毒药将整个扫描过程完整的参数呈现出来；如 nmap -PN 192.168.169.131。</p>
<ul>
<li>2、仅使用ping协议进行主机发现：</li>
</ul>
<p>有时需要对大量的主机扫描，nmap如果对一个目标主机采取各种手段进行扫描会花费大量时间。这时我们只对目标主机进行扫描。如 nmap -sP 192.168.169.131。</p>
<ul>
<li>3、使用ARP协议进行主机发现：</li>
</ul>
<p>当目标主机与我们处于同一网段时，使用ARP协议扫描是最佳选择。不仅速度快，扫描结果精准。因为没有任何的安全措施会阻止正常的arp请求。如 nmap -PR 192.168.169.131。</p>
<ul>
<li>4、使用TCP协议进行主机发现：</li>
</ul>
<p>TCP协议主要是三次握手构成，主动端发送syn报文，被动端回应syn+ack报文，然后主动端回应ack。利用此过程，nmap向目标发送syn报文，如果对方回应了syn+ack则说明在线。半开扫描，如nmap -sS 192.168.169.131。全开扫描，如nmap -sT 192.168.169.131。</p>
<ul>
<li>5、使用UDP协议进行主机发现：</li>
</ul>
<p>UDP相比较TCP简单，但扫描时并不比TCP协议方便，而且花费时间长，因此这种扫描不常用。如nmap -sU 192.168.169.131。</p>
<h3 id="用法"><a href="#用法" class="headerlink" title="用法"></a>用法</h3><p>通常主机发现并不单独使用，而只是作为端口扫描、版本侦测、OS侦测先行步骤。而在某些特殊应用（例如确定大型局域网内活动主机的数量），可能会单独专门适用主机发现功能来完成。</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><code class="hljs routeros">HOST DISCOVERY:<br>  -sL: List Scan - simply list targets <span class="hljs-keyword">to</span> scan<br>  -sn:<span class="hljs-built_in"> Ping </span>Scan - <span class="hljs-built_in">disable</span><span class="hljs-built_in"> port </span>scan<br>  -Pn: Treat all hosts as online -- skip host<span class="hljs-built_in"> discovery</span><br><span class="hljs-built_in"></span>  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP <span class="hljs-keyword">or</span> SCTP<span class="hljs-built_in"> discovery </span><span class="hljs-keyword">to</span> given ports<br>  -PE/PP/PM: ICMP echo, timestamp, <span class="hljs-keyword">and</span> netmask request<span class="hljs-built_in"> discovery </span>probes<br>  -PO[protocol list]:<span class="hljs-built_in"> IP </span>Protocol<span class="hljs-built_in"> Ping</span><br><span class="hljs-built_in"></span>  -n/-R: Never <span class="hljs-keyword">do</span><span class="hljs-built_in"> DNS </span>resolution/Always resolve [default: sometimes]<br>  --dns-servers &lt;serv1[,serv2],<span class="hljs-built_in">..</span>.&gt;: Specify custom<span class="hljs-built_in"> DNS </span>servers<br>  --system-dns: Use OS<span class="hljs-string">&#x27;s DNS resolver</span><br><span class="hljs-string">  --traceroute: Trace hop path to each host</span><br></code></pre></td></tr></table></figure>

<p>其中，比较常用的使用的是-sn，表示只单独进行主机发现过程；-Pn表示直接跳过主机发现而进行端口扫描等高级操作（如果已经确知目标主机已经开启，可用该选项）；-n，如果不想使用DNS或reverse DNS解析，那么可以使用该选项。</p>
<h3 id="操作"><a href="#操作" class="headerlink" title="操作"></a>操作</h3><p>命令：<code>nmap -sn IP</code></p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305141911689-20220405204358009-20220405211130996.png" srcset="/img/loading.gif" lazyload alt="image-20220305141911689" style="zoom:50%;" />

<h2 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>端口扫描</h2><h3 id="原理-1"><a href="#原理-1" class="headerlink" title="原理"></a>原理</h3><p>nmap向目标主机发送报文并根据返回报文从而认定端口的6种状态。（注意：这六种状态只是namp认为的端口状态，例如：有些主机或者防火墙会返回一些不可靠的报文从而妨碍nmap对端口开放问题的确认）。</p>
<ul>
<li><p>Open（开放的）：端口处于开放状态，意味着目标机器上的应用程序正在该端口监听连接/报文；</p>
</li>
<li><p>Closed（关闭的）：端口处于关闭状态。这里我们值得注意的是关闭的端口也是可访问的，只是该端口没有应用程序在它上面监听，但是他们随时可能开放；</p>
</li>
<li><p>Filtered（过滤的）：由于包过滤阻止探测报文到达端口， Nmap 无法确定该端口是否开放。过滤可能来自专业的防火墙设备，路由器规则或者主机上的软件防火墙；</p>
</li>
<li><p>Unfiltered（未被过滤的）：意味着端口可访问，但 Nmap 不能确定它是开放还是关闭。这种状态和filtered的区别在于：unfiltered的端口能被nmap访问，但是nmap根据返回的报文无法确定端口的开放状态，而filtered的端口直接就没能够被nmap访问。端口被定义为Unfilterd只会发生在TCP ack扫描类型时当返回RST的报文。而端口被定义为filtered 状态的原因是是报文被防火墙设备，路由器规则，或者防火墙软件拦截，无法送达到端口，这通常表现为发送NMAP的主机收到ICMP报错报文，或者主机通过多次重复发送没有收到任何回应）。</p>
</li>
<li><p>Open|filtered状态：这种状态主要是nmap无法区别端口处于open状态还是filtered状态。这种状态只会出现在open端口对报文不做回应的扫描类型中，如：udp，ip protocol ，TCP null，fin，和xmas扫描类型。</p>
</li>
<li><p>Closed|filtered状态：这种状态主要出现在nmap无法区分端口处于closed还是filtered时。</p>
</li>
</ul>
<h3 id="用法-1"><a href="#用法-1" class="headerlink" title="用法"></a>用法</h3><p>扫描方式选项</p>
<figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><code class="hljs gradle">SCAN TECHNIQUES:<br>  -sS<span class="hljs-regexp">/sT/</span>sA<span class="hljs-regexp">/sW/</span>sM: TCP SYN<span class="hljs-regexp">/Connect()/</span>ACK<span class="hljs-regexp">/Window/M</span>aimon scans<br>  -sU: UDP Scan<br>  -sN<span class="hljs-regexp">/sF/</span>sX: TCP <span class="hljs-keyword">Null</span>, FIN, and Xmas scans<br>  --scanflags &lt;flags&gt;: Customize TCP scan flags<br>  -sI &lt;zombie host[:probeport]&gt;: Idle scan<br>  -sY<span class="hljs-regexp">/sZ: SCTP INIT/</span>COOKIE-ECHO scans<br>  -sO: IP protocol scan<br>  -b &lt;FTP relay host&gt;: FTP bounce scan<br></code></pre></td></tr></table></figure>

<p>端口参数与扫描顺序：</p>
<figure class="highlight mipsasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs mipsasm">PORT SPECIFICATION <span class="hljs-keyword">AND </span><span class="hljs-keyword">SCAN </span><span class="hljs-keyword">ORDER:</span><br><span class="hljs-keyword"></span>  -p &lt;port ranges&gt;: Only <span class="hljs-keyword">scan </span>specified ports<br><span class="hljs-symbol">    Ex:</span> -p22<span class="hljs-comment">; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9</span><br>  --exclude-ports &lt;port ranges&gt;: Exclude the specified ports from <span class="hljs-keyword">scanning</span><br><span class="hljs-keyword"></span>  -F: Fast mode - <span class="hljs-keyword">Scan </span>fewer ports than the default <span class="hljs-keyword">scan</span><br><span class="hljs-keyword"></span>  -r: <span class="hljs-keyword">Scan </span>ports consecutively - don<span class="hljs-string">&#x27;t randomize</span><br><span class="hljs-string">  --top-ports &lt;number&gt;: Scan &lt;number&gt; most common ports</span><br><span class="hljs-string">  --port-ratio &lt;ratio&gt;: Scan ports more common than &lt;ratio&gt;</span><br></code></pre></td></tr></table></figure>



<h3 id="操作-1"><a href="#操作-1" class="headerlink" title="操作"></a>操作</h3><p>命令：<code>nmap --sS --sU --T4 --top-ports 300 www.baidu.com</code></p>
<p>参数：</p>
<p>-sS表示使用TCP SYN方式扫描TCP端口；</p>
<p>-sU表示扫描UDP端口；</p>
<p>-T4表示时间级别配置4级；</p>
<p>--top-ports 300表示扫描最有可能开放的300个端口（TCP和UDP分别有300个端口）。</p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305142104990-20220405204414953-20220405211131035.png" srcset="/img/loading.gif" lazyload alt="image-20220305142104990" style="zoom:50%;" />

<p>从上图中，我们看到扫描结果，在扫描的300个端口中，有298个是关闭的；开放的 分别是80和443端口。</p>
<h2 id="版本侦测"><a href="#版本侦测" class="headerlink" title="版本侦测"></a>版本侦测</h2><h3 id="原理-2"><a href="#原理-2" class="headerlink" title="原理"></a>原理</h3><p>版本侦测主要分为以下几个步骤：</p>
<ul>
<li><p>  首先检查open与open|filtered状态的端口是否在排除端口列表内。如果在排除列表，将该端口剔除。</p>
</li>
<li><p>  如果是TCP端口，尝试建立TCP连接。尝试等待片刻（通常6秒或更多，具体时间可以查询文件nmap-services-probes中Probe TCP NULL q||对应的totalwaitms）。通常在等待时间内，会接收到目标机发送的”WelcomeBanner”信息。nmap将接收到的Banner与nmap-services-probes中NULL probe中的签名进行对比。查找对应应用程序的名字与版本信息。</p>
</li>
<li><p>  如果通过”Welcome Banner”无法确定应用程序版本，那么nmap再尝试发送其他的探测包（即从nmap-services-probes中挑选合适的probe），将probe得到回复包与数据库中的签名进行对比。如果反复探测都无法得出具体应用，那么打印出应用返回报文，让用户自行进一步判定。</p>
</li>
<li><p>  如果是UDP端口，那么直接使用nmap-services-probes中探测包进行探测匹配。根据结果对比分析出UDP应用服务类型。</p>
</li>
<li><p>  如果探测到应用程序是SSL，那么调用openSSL进一步的侦查运行在SSL之上的具体的应用类型。</p>
</li>
<li><p>  如果探测到应用程序是SunRPC，那么调用brute-force RPC grinder进一步探测具体服务。</p>
</li>
</ul>
<h3 id="用法-2"><a href="#用法-2" class="headerlink" title="用法"></a>用法</h3><figure class="highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><code class="hljs vim">SERVICE/VERSION DETECTION:<br>  -sV: Probe <span class="hljs-keyword">open</span> ports <span class="hljs-keyword">to</span> determine service/<span class="hljs-keyword">version</span> info<br>  --<span class="hljs-keyword">version</span>-intensity <span class="hljs-symbol">&lt;level&gt;</span>: Set from <span class="hljs-number">0</span> (light) <span class="hljs-keyword">to</span> <span class="hljs-number">9</span> (<span class="hljs-keyword">try</span> <span class="hljs-keyword">all</span> probes)<br>  --<span class="hljs-keyword">version</span>-light: Limit <span class="hljs-keyword">to</span> most likely probes (intensity <span class="hljs-number">2</span>)<br>  --<span class="hljs-keyword">version</span>-<span class="hljs-keyword">all</span>: Try every single probe (intensity <span class="hljs-number">9</span>)<br>  --<span class="hljs-keyword">version</span>-trace: Show detailed <span class="hljs-keyword">version</span> scan activity (<span class="hljs-keyword">for</span> debugging)<br></code></pre></td></tr></table></figure>



<h3 id="操作-2"><a href="#操作-2" class="headerlink" title="操作"></a>操作</h3><p>命令：<code>nmap --sV www.baidu.com</code></p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305142133908-20220405204424230-20220405211131089.png" srcset="/img/loading.gif" lazyload alt="image-20220305142133908" style="zoom:50%;" />

<p>从图中可知，本次一个扫描了1000个端口，其中有998个是关闭的。</p>
<p>对开开放的两个端口上的服务进行版本侦测的结如方框内显示。</p>
<h2 id="OS侦测"><a href="#OS侦测" class="headerlink" title="OS侦测"></a>OS侦测</h2><h3 id="原理-3"><a href="#原理-3" class="headerlink" title="原理"></a>原理</h3><p>Nmap使用TCP/IP协议栈指纹来识别不同的操作系统和设备。在RFC规范中，有些地方对TCP/IP的实现并没有强制规定，由此不同的TCP/IP方案中可能都有自己的特定方式。Nmap主要是根据这些细节上的差异来判断操作系统的类型的。</p>
<p>具体实现方式如下：</p>
<ul>
<li><p>Nmap内部包含了2600多已知系统的指纹特征（在文件nmap-os-db文件中）。将此指纹数据库作为进行指纹对比的样本库。</p>
</li>
<li><p>分别挑选一个open和closed的端口，向其发送经过精心设计的TCP/UDP/ICMP数据包，根据返回的数据包生成一份系统指纹。</p>
</li>
<li><p>将探测生成的指纹与nmap-os-db中指纹进行对比，查找匹配的系统。如果无法匹配，以概率形式列举出可能的系统。</p>
</li>
</ul>
<h3 id="用法-3"><a href="#用法-3" class="headerlink" title="用法"></a>用法</h3><figure class="highlight nestedtext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs nestedtext"><span class="hljs-attribute">OS DETECTION</span><span class="hljs-punctuation">:</span><br><span class="hljs-attribute">-O</span><span class="hljs-punctuation">:</span> <span class="hljs-string">Enable OS detection</span><br><span class="hljs-attribute">--osscan-limit</span><span class="hljs-punctuation">:</span> <span class="hljs-string">Limit OS detection to promising targets</span><br><span class="hljs-attribute">--osscan-guess</span><span class="hljs-punctuation">:</span> <span class="hljs-string">Guess OS more aggressively</span><br></code></pre></td></tr></table></figure>



<h3 id="操作-3"><a href="#操作-3" class="headerlink" title="操作"></a>操作</h3><p>命令：<code>nmap --O 127.0.0.1</code></p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305142207580-20220405204428987-20220405211131141.png" srcset="/img/loading.gif" lazyload alt="image-20220305142207580" style="zoom:50%;" />

<p>从上图中可看到，指定-O选项后先进行主机发现与端口扫描，根据扫描到端口来进行进一步的OS侦测。获取的结果信息有设备类型，操作系统类型，操作系统的CPE描述，操作系统细节，网络距离等。</p>
<p>最后综合上述命令，对<a href="http://www.baidu.com执行一次加强的快速扫描：">www.baidu.com执行一次加强的快速扫描：</a></p>
<p>命令： <code>nmap -sV -T4 -O -F --version-light www.cug.edu.cn</code></p>
<img src="https://imgbed.cheney.cc/picgo/image-20220305142245486-20220405204436641-20220405211131214.png" srcset="/img/loading.gif" lazyload alt="image-20220305142245486" style="zoom:50%;" />

<p>通过上述结果，可以看出：</p>
<div class="code-wrapper"><pre><code class="hljs">本次侦测共用时5.38s。扫描了一个IP的100个端口，该主机在线。

扫描出5个运行中的服务，类型如上图。

暂时无法准确判断操作系统的类型，但是最有可能是FreeBSD和PC-BSD，对应的概率如上图所示。
</code></pre></div>
<h1 id="参考文献"><a href="#参考文献" class="headerlink" title="参考文献"></a>参考文献</h1><ol>
<li><p> 张星亮,张洪波.网络安全扫描工具的比较与分析[J].电脑知识与技术,2018,14(11):56-57.DOI:10.14004/j.cnki.ckt.2018.1200.</p>
</li>
<li><p> 俞海.基于Nmap网络扫描的场景仿真实验[J].绍兴文理学院学报(自然科学),2017,37(01):28-31.DOI:10.16169/j.issn.1008-293x.k.2017.07.005.</p>
</li>
</ol>

            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                
                  <div class="post-meta">
                    <i class="iconfont icon-tags"></i>
                    
                      <a class="hover-with-bg" href="/tags/%E7%BD%91%E7%BB%9C/">网络</a>
                    
                  </div>
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
                <div class="post-prevnext">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/2022/03/08/%E5%9F%BA%E4%BA%8EHexo%E6%90%AD%E5%BB%BA%E4%B8%AA%E4%BA%BA%E5%8D%9A%E5%AE%A2/">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">基于Hexo搭建个人博客</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/2022/03/03/Caesar%E5%AF%86%E7%A0%81%E7%9A%84%E7%94%9F%E6%88%90%E4%B8%8E%E7%A0%B4%E8%A7%A3/">
                        <span class="hidden-mobile">Caesar密码的生成与破解</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
    

    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://cheney822.gitee.io/" target="_blank" rel="nofollow noopener"><span>备用网址</span></a> 
  </div>
  

  
  <!-- 备案信息 -->
  <div class="beian">
    <span>
      <a href="http://beian.miit.gov.cn/" target="_blank" rel="nofollow noopener">
        皖ICP备2022002876号-1
      </a>
    </span>
    
  </div>


  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  






  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
        typing(title);
      
    })(window, document);
  </script>















<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
